Method of verifiably sharing a secret in potentially asynchronous networks

ABSTRACT

In accordance with the present invention, there is provided a method for sharing a secret value x among n participating network devices via an asynchronous network. The n participating network devices comprise t faulty devices and k sub-devices capable of reconstructing the secret value x, wherein t<n/3 and k<n. The secret value x is provided by a distributor. The method comprises: deriving, by the distributor, share values s_(i) and subshare values s_(ij) of the secret value x by applying a linear secret sharing scheme, and deriving verification values g^(s_(ij)) usable for verification of the validity of the share values s_(i) and the subshare values s_(ij); sending to each participating network device a share message comprising the corresponding subshare values s_(Ai), s_(iA), s_(Bi), s_(iB), s_(Ci), s_(iC); broadcasting a verification message comprising the verification values g^(s_(ij)); receiving, by at least l participating network devices, the verification message comprising the verification values g^(s_(ij)), wherein n−t ≧ l ≧ 2t+1; and performing the following steps 1) to 4) for each recipient network device: 1) if a share message comprising subshare values s_(ij) is received, determining the validity of the subshare values s_(ij) in dependence on the verification values g^(s_(ij)), and 2) broadcasting, in the event of a positive determination, an agree message comprising an agree-value Y; 3) receiving l agree messages comprising the agree-values Y_(A), Y_(B), Y_(C); 4) in the event of l received agree messages, obtaining the share value s_(i) either from the share message sent by the distributor D or from subshare values s_(ij) received from participating network devices, and determining the validity of the subshare values s_(ij) in dependence on the verification values g^(s_(ij)). In a second aspect of the present invention, a method without broadcast is disclosed.

CROSS REFERENCE AND PRIORITY

This application, filed under 35 USC 371, is cross-referenced with and claims priority from International Patent Application PCT/IB02/00468 filed on 15 Feb. 2002, and published in English with Publication No. WO02/087145 on 31 Oct. 2002, under PCT article 21(2), which in turn claims priority of EP 01106633.9, filed on 16 Mar. 2001.

TECHNICAL FIELD

The present invention relates to a network whose processor nodes exchange information in an asynchronous fashion, and more particularly to a method for sharing a secret value among the nodes in such a way that a sufficiently large subset of the nodes can reconstruct the secret value, while a smaller set cannot compromise it, even in the presence of undetected malicious nodes.

BACKGROUND OF THE INVENTION

Secret sharing schemes protect the secrecy and integrity of information by distributing the information over n different locations. The information can only be recovered if one has access to a certain minimal number of locations. In particular, in a (k, n)-threshold scheme, k locations together can reconstruct the secret information, whereas k−1 locations cannot obtain any information about it.

In H. Krawczyk et al., “Proactive secret sharing or: How to cope with perpetual leakage”, in Crypto '95, pages 339-352, Santa Barbara, 1995, a synchronous proactive secret sharing scheme is presented. Therein, the lifetime of the system is divided into short time periods, such that it is plausible to assume that an adversary cannot break into more than k−1 locations during one time period. Further, the adversary is assumed to be transient, i.e., corrupted servers can be identified and rebooted, such that the adversary loses control over them but still remembers the last state of the server. At the beginning of each time period, the system is refreshed such that the information an adversary gathered in a previous period becomes obsolete. Refreshing the system involves the generation of new random shares of the old secret.

An asynchronous verifiable secret sharing system has been proposed by Ran Canetti and Tal Rabin, “Fast asynchronous Byzantine agreement with optimal resilience”, in STOC 93, pages 42-51, New York, 1993, based on ideas from Feldman and Micali, “An Optimal Probabilistic Protocol for Synchronous Byzantine Agreement”, STOC 88, pages 148-161, New York, 1988. This scheme does not use public key cryptography, but has a very high message complexity.

It is an object of the present invention to create a verifiable secret sharing scheme for a potentially asynchronous network capable of tolerating a maximum of t faulty devices, processors or parties. Partially asynchronous network in that sense means that the network can work either in synchronous or asynchronous mode, depending on the circumstances and the given assumptions.

It is a further object of this invention to provide a method operable among n processors or parties, where at most t<n/3 processors are faulty, and further where the sharing can be achieved in constant time with the number of messages exchanged being in the order of the square of n.

Glossary

The following are informal definitions to aid in the understanding of the description.

In Asynchronous Verifiable Secret Sharing (AVSS), a secret value x is shared by a dealer or distributor among n parties P₁, . . . , P_(n) such that no coalition of k−1 parties can compromise x, while any coalition of k or more parties can efficiently reconstruct x. This is also called (k, n) sharing, indicating that k out of n parties are required to reconstruct the secret value x.

Group: A group in the cryptographic sense is an algebraic system (G, *) consisting of a set of elements or numbers and a group operation (*) with some specified properties: (*) is associative, has a neutral element, and every element in G has an inverse element.

The choice of the symbol (*) is arbitrary. In fact, the operation of most groups is denoted by either + or ·, and such groups are referred to as additive or multiplicative groups, respectively.

For example, for any positive integer q, the set Z_(q) consists of the integers 0, . . . , q−1, and it forms a group under the operation of addition modulo q. Moreover, the subset of Z_(q) consisting of those integers relatively prime to q forms a group under multiplication modulo q, and is denoted Z_(q)*. In particular, if p is prime, then Z_(p)* consists of {1, . . . , p−1}, and is a group with p−1 elements.

Hash function: A hash function is a computationally efficient function mapping binary strings of arbitrary length to binary strings of some fixed length.

Hybrid Failures

The method for achieving Byzantine Agreement can distinguish between several different ways in which a network device can fail. These could for example be:

Byzantine Failures BF: If a byzantine failure BF occurs, the adversary has taken full control over the corresponding machine. All secrets this machine holds are handed over to the adversary, who now controls its entire behavior.

Crash Failures CF: A crash failure CF simply means that the corresponding machine stops working. This could happen at any time, i.e., even in the middle of a broadcast or while sending a message. It is assumed that there is no mechanism by which other parties can reliably detect such a crash.

Link Failures LF: A link failure LF occurs when not a party, but an interconnecting link becomes faulty. As the link has no access to authentication keys, it is easy to prevent it from modifying or inserting messages. A faulty link could however delete messages, and it might completely disconnect two parties.

Adversary Structure

An adversary structure T is a set of sets (coalitions) of parties whose corruption the system should tolerate. This generalizes a threshold scheme to be more flexible and to adapt to environmental structures.

SUMMARY AND ADVANTAGES OF THE INVENTION

In accordance with the present invention, there is provided a machine-implementable method for sharing a secret value x among n participating network devices via an asynchronous network with private links, i.e., the communication between honest participants cannot be read by an adversary. The n participating network devices comprise t faulty devices and k sub-devices capable of reconstructing the secret value x, wherein t<n/3 and k<n. The secret value x is provided by a distributor. The method comprises: deriving, by the distributor, share values s_(i) and subshare values s_(ij) of the secret value x by applying a linear secret sharing scheme, and deriving verification values g^(s_(ij)) usable for verification of the validity of the share values s_(i) and the subshare values s_(ij); sending to each participating network device a share message comprising the corresponding subshare values s_(Ai), s_(iA), s_(Bi), s_(iB), s_(Ci), s_(iC); broadcasting a verification message comprising the verification values g^(s_(ij)); receiving, by at least l participating network devices, the verification message comprising the verification values g^(s_(ij)), wherein n−t ≦ l ≦ 2t+1; and performing the following steps 1) to 4) for each recipient network device: 1) if a share message comprising subshare values s_(ij) is received, determining the validity of the subshare values s_(ij) in dependence on the verification values g^(s_(ij)), and 2) broadcasting, in the event of a positive determination, an agree message comprising an agree-value Y; 3) receiving l agree messages comprising the agree-values Y_(A), Y_(B), Y_(C); 4) in the event of l received agree messages, obtaining the share value s_(i) either from the share message sent by the distributor D or from subshare values s_(ij) received from participating network devices, and determining the validity of the subshare values s_(ij) in dependence on the verification values g^(s_(ij)).

In a second aspect of the present invention, there is provided a machine-implementable method for sharing a secret value x among n participating network devices A, B, C via an asynchronous network, the n participating network devices A, B, C comprising t faulty devices and k sub-devices capable of reconstructing the secret value x, wherein t<n/3 and k≦n−t, the secret value x being provided by a distributor D. This method performs without broadcast.

The method turns out to be efficient and also theoretically nearly optimal in the sense that it withstands the maximum number of corrupted parties. Moreover, it is applicable in asynchronous environments and tolerates byzantine failures.

If some secret value x is already shared, the method can be used to share a secret value y being 0. It can be verified using the verification values that the value of y really is 0.

By adding share values y_(i) of 0 to the share values x_(i) of x, the new share values y_(i)+x_(i) share the secret x+0, i.e., x.

By doing so, new share values of the same secret value are generated, which can be used to render old shares that may have leaked to the adversary useless.

It is advantageously possible to modify the method in such a way that every participating network device with index i can derive all its subshare values s_(i1) to s_(in) and s_(1i) to s_(ni). This way, it is easy to efficiently incorporate an additional network device into a group of participating network devices that share the secret value x, by reconstructing the corresponding subshare values s_((n+1)i) from the known subshare values s_(1i) to s_(ni).

The subshare values s_(ij) and additional verification values can be sent to each participating network device, and upon receiving sufficient additional verification values the verification values g^(s_(ij)) can be modified in dependence on the received additional verification values. This has the advantage that the broadcast primitive used to broadcast the verification message can be simplified, which causes less network communication.

If the step of obtaining the share value s_(i) from subshare values s_(ij) received from participating network devices further comprises broadcasting a complain message and receiving the subshare values s_(ij) sent in response to the complain message, then the advantage occurs that the network traffic can be reduced in the case where the distributor is honest, which usually holds.

The verification values g^(s_(ij)) can be derived by choosing a common number g from a cryptographic group G corresponding to the linear secret sharing scheme and deriving the verification values g^(s_(ij)) by raising the chosen common number g to the power of a linear function f of the share value s_(i). By doing so, a simple cryptographic primitive can be used for the generation of the verification values g^(s_(ij)).

The verification values g^(s_(ij)) can be derived using a hash function. This leads to smaller verification values g^(s_(ij)). Hence less data has to be transferred via the network.

Several secret values can be shared simultaneously. This is more efficient due to synergy effects.

The number t of faulty devices can be seen as a set T of sets comprising different participating network devices, i.e., devices running different operating systems and within different locations. Moreover, the participating network devices can show hybrid failures, e.g., byzantine failures, crash failures, and link failures, reflecting a different structure of the set T or different thresholds t_(i), with i=1, 2, . . . . This shows the flexibility of the protocol.

DESCRIPTION OF THE DRAWINGS

Preferred embodiments of the invention are described in detail below, by way of example only, with reference to the following schematic drawings.

FIG. 1 shows a typical asynchronous network with multiple participating network devices and a distributor.

FIG. 2 shows a schematic diagram of the asynchronous verifiable secret sharing scheme.

FIG. 3 shows a schematic diagram of the asynchronous verifiable secret sharing scheme without broadcast.

FIG. 4 shows a scenario of participating network devices distributed in a structured way.

The drawings are provided for illustrative purposes only and do not necessarily represent practical examples of the present invention to scale.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 1 shows an example of a common computer system 8, where a secret value x is shared. It consists of n=4 participating network devices A, B, C, and D which are connected via communication lines (1 through 5) to a network. The system comprises a distributor D, which is designated by the “X”. Each participating network device A, B, C, D may be any type of computer device known in the art, from a computer on a chip or a wearable computer to a large computer system. The communication lines can be any communication means commonly known to transmit data or messages from one participating network device A, B, C, D to another. For instance, the communication lines may be either single, bi-directional communication lines 5 between each pair of participating network devices A, B, C, D or one unidirectional line in each direction between each pair of participating network devices A, B, C, D. Such a computer system 8 and communication lines 5 are well known in the art. In the case where one participating network device A, B, C sends information to itself, an equivalent result could be achieved by merely moving data within the participating network device and not sending it over a communication line to itself. The common computer system 8 is shown to facilitate the description of the following asynchronous verifiable secret sharing protocol. The same reference numbers are used to denote the same or like parts.

FIG. 2 shows the general flow of the protocol for sharing a secret value x among n participating network devices A, B, C via the asynchronous network, whereby a series of messages is sent and received by each participating network device A, B, C, D.

It is supposed that the distributor D wants to share the secret value x. At first, as indicated with box 10, the distributor D derives share values s_(i) of the secret value x according to a normal linear secret sharing scheme, for example as described in A. Shamir, “How to share a secret”, Communications of the ACM 22 (1979), 612-613. In addition to this, the distributor D also derives so-called subshares, also referred to as subshare values s_(ij). This means that for each share value s_(i) the distributor D creates respective subshare values s_(ij). The subshare values s_(ij) can be obtained by another linear secret sharing scheme which is independent of the creation of the share values s_(i). Alternatively, the secret value x can be shared using Shamir's scheme with a polynomial in two variables. Furthermore, the distributor D derives verification values g^(s_(ij)), here by simple power operations in a cryptographic group G. These verification values g^(s_(ij)) are interpreted as a verification table. The verification values g^(s_(ij)) are usable for verification of the validity of the share values s_(i) and the subshare values s_(ij).

TABLE 1

| x := s₀₀ | s₁ := s₁₀ | s₂ := s₂₀ | . . . | s_(n) := s_(n0) |
|---|---|---|---|---|
| s₀₁ | s₁₁ | s₂₁ | . . . | s_(n1) |
| s₀₂ | s₁₂ | s₂₂ | . . . | s_(n2) |
| . . . | . . . | . . . | . . . | . . . |
| s_(0n) | s_(1n) | s_(2n) | . . . | s_(nn) |

Table 1 shows the corresponding subshare values s_(ij) for each respective share value s_(i). All subshare values s_(ij) in a particular row share the leftmost value in that row, while all subshare values s_(ij) in a particular column share the uppermost value, the share value s_(i).

Note that the value s₁₀ denotes the value shared by the values s₁₁, s₁₂, . . . , s_(1n), while s₀₁ denotes the value shared by the values s₁₁, s₂₁, . . . , s_(n1).

It is an advantage that a crash or byzantine behavior of the distributor D in the middle of the protocol can be tolerated. If t+1 honest participating network devices A, B, C think they received valid share values s_(i) of the secret value x, then all other honest participating network devices A, B, C can reconstruct their share values s_(i) of the secret value x with the help of those t+1 participating network devices A, B, C, even if they never heard from the distributor D at all.

However, it is still possible for a dishonest distributor D to distribute corrupt share values s_(i), i.e., share values s_(i) that do not combine to a unique secret value x. To deal with this problem, the distributor D adds verification information that allows all participating network devices A, B, C to test the validity of the share values s_(i) they received, without learning anything about the secret value x.
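The following is an added example, not code from the patent, that works through the arithmetic behind Table 1, the verification values g^(s_(ij)) and the recipient-side validity tests described above, together with the reconstruction of a missing share value s_(i) from subshare values held by t+1 other devices and the refresh with a sharing of 0 from the summary. It assumes the bivariate-polynomial variant of Shamir's scheme (s_(ij) = f(i, j) with f of degree t in each variable, so column i of Table 1 shares s_(i) = s_(i0) and row j shares s_(0j)) and Feldman-style verification values computed as powers of a common g in a group of prime order q. The group parameters p=2039, q=1019, g=4 are toy values chosen for this example so that it runs instantly; a deployment would use a group of cryptographic size.

```python
import secrets

# Toy group parameters chosen for this example only: P = 2*Q + 1 with both prime,
# G = 4 = 2^2 is a quadratic residue mod P and therefore generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4


def lagrange_coeffs(indices, at=0):
    """Coefficients lambda_i (mod Q) with v(at) = sum_i lambda_i * v(i) for any
    polynomial v of degree < len(indices)."""
    coeffs = {}
    for i in indices:
        num, den = 1, 1
        for j in indices:
            if j != i:
                num = num * (at - j) % Q
                den = den * (i - j) % Q
        coeffs[i] = num * pow(den, -1, Q) % Q
    return coeffs


def interpolate_at_zero(points):
    """Recover v(0) from {i: v(i)}; used for shares -> secret and subshares -> share."""
    lam = lagrange_coeffs(points.keys())
    return sum(lam[i] * v for i, v in points.items()) % Q


def combine_commitments(points, at=0):
    """The same interpolation carried out in the exponent: from {i: g^v(i)} obtain g^v(at)."""
    lam = lagrange_coeffs(points.keys(), at)
    result = 1
    for i, c in points.items():
        result = result * pow(c, lam[i], P) % P
    return result


def commitments_have_degree(commits, t):
    """True iff {i: g^v(i)} is consistent with one polynomial v of degree <= t,
    i.e. the verification values 'combine to one unique value'."""
    idx = sorted(commits)
    base = {i: commits[i] for i in idx[:t + 1]}
    return all(combine_commitments(base, at=i) == commits[i] for i in idx[t + 1:])


def deal(x, n, t):
    """Distributor: random bivariate polynomial f of degree t in each variable with
    f(0,0) = x.  table[i] holds column i of Table 1, i.e. [s_i0, ..., s_in] with
    s_ij = f(i, j); the share is s_i = s_i0.  Also returns the table of g^(s_ij)."""
    coef = [[secrets.randbelow(Q) for _ in range(t + 1)] for _ in range(t + 1)]
    coef[0][0] = x % Q

    def f(a, b):
        return sum(coef[u][v] * pow(a, u, Q) * pow(b, v, Q)
                   for u in range(t + 1) for v in range(t + 1)) % Q

    table = [[f(i, j) for j in range(n + 1)] for i in range(n + 1)]
    verification = [[pow(G, s, P) for s in row] for row in table]
    return table, verification


def recipient_checks(i, column, row, verification, t):
    """Party i's tests on its share message: column[j] = s_ij, row[j] = s_ji."""
    n = len(verification) - 1
    if any(pow(G, column[j], P) != verification[i][j] for j in range(n + 1)):
        return False                       # a received value does not open its commitment
    if any(pow(G, row[j], P) != verification[j][i] for j in range(n + 1)):
        return False
    col_c = {j: verification[i][j] for j in range(n + 1)}
    row_c = {j: verification[j][i] for j in range(n + 1)}
    return commitments_have_degree(col_c, t) and commitments_have_degree(row_c, t)


def recover_share(i, received, verification, t):
    """Party i never got a valid share: rebuild s_i from the subshares s_ij sent by
    other parties j, dropping any that fail their verification value."""
    good = {j: s for j, s in received.items() if pow(G, s, P) == verification[i][j]}
    if len(good) < t + 1:
        return None
    return interpolate_at_zero(good)


def refresh(table, verification, zero_table, zero_verification):
    """Add a sharing of 0: new shares s_i + y_i share x + 0 = x and the verification
    values multiply, which renders old, possibly leaked, shares useless."""
    if zero_verification[0][0] != 1:       # g^0 = 1, so the second sharing really is of 0
        raise ValueError("refresh sharing is not a sharing of 0")
    n = len(table) - 1
    new_shares = [(table[i][0] + zero_table[i][0]) % Q for i in range(n + 1)]
    new_verif = [verification[i][0] * zero_verification[i][0] % P for i in range(n + 1)]
    return new_shares, new_verif


if __name__ == "__main__":
    n, t, x = 4, 1, 777
    table, verif = deal(x, n, t)
    col = [table[2][j] for j in range(n + 1)]
    row = [table[j][2] for j in range(n + 1)]
    print("party 2 accepts its share message:", recipient_checks(2, col, row, verif, t))
    print("secret from shares 1 and 3:", interpolate_at_zero({1: table[1][0], 3: table[3][0]}))
```

A recipient that holds only its own column and row still checks the whole verification table for degree consistency, which is what makes a dishonest distributor's inconsistent table detectable before any agree message is sent; the same interpolation in the exponent is what lets a device verify subshares it receives later from other devices without ever learning their shares.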

The distributor D sends to each participating network device A, B, C a share message sm comprising the corresponding subshare values s_(Ai), s_(iA), s_(Bi), s_(iB), s_(Ci), s_(iC), as indicated with box 20, and broadcasts a verification message vm comprising the verification values g^(s_(ij)), as indicated with box 30. The broadcast can be a reliable broadcast, as described in Cachin et al., “Secure and Efficient Asynchronous Broadcast Protocols”, Joe Kilian, editor, Advances in Cryptology: CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 524-541, Springer, 2001. For the participating network device A, B, C with index i, the subshare values s_(ij) which the distributor D sends to this participating network device A, B, C correspond to row and column i in Table 1. The steps indicated by boxes 10, 20, and 30 are performed by the distributor D, as indicated by the box labeled with D.

The verification message vm comprises more information, being sufficient to verify all share values s_(i) and subshare values s_(ij) the recipient network device A, B, C will receive during the run of the protocol.

The verification message vm is received by the participating network devices A, B, C, as indicated with box 40. The following steps are performed by each recipient network device A, B, C.

If a share message sm comprising subshare values s_(ij) was received in the previous step, then the validity of the subshare values s_(ij) in dependence on the verification values g^(s_(ij)) is determined, as indicated with box 50. In the event of a positive determination an agree message comprising an agree-value Y is broadcast, as indicated with box 60. Then l agree messages, with n−t ≦ l ≦ 2t+1, comprising the agree-values Y_(A), Y_(B), Y_(C) will be received by the respective network device A, B, C, as indicated in box 70. The steps in box 70 and box 80 can also be executed by a participating network device A, B, C that did not perform the steps indicated by the boxes 40, 50, and 60, as indicated with the arrow labeled with 90.

In the event of l received agree messages, each participating network device A, B, C obtains the share value s_(i) either from the share message sm sent by the distributor D or from the subshare values s_(ij) received from the other participating network devices A, B, C. The validity of the subshare values s_(ij) in dependence on the verification values g^(s_(ij)) is then determined. This is indicated with box 80.

Use of Commitments

For each share value s_(i) and subshare value s_(ij) the distributor D computes a commitment function C(s_(i)) or C(s_(ij)), respectively. The commitments have the property that if the share values s_(i) and subshare values s_(ij) combine to one secret value x and the share value s_(i), respectively, then the C(s_(i)) (or C(s_(ij))) combine to one secret C(x) (or C(s_(i))).

One example is to use exponentiation in a finite group G of prime order, i.e., C(s_(i))=g^(s_(i)), as demonstrated in Cachin et al., “Random Oracles in Constantinople: Practical Byzantine Agreement using Cryptography”, in PODC 00, Portland, Oreg., 2000.

It is possible though to use more advanced commitments, for example Pedersen commitments as described in T. Pedersen, “Non-interactive and information-theoretic secure verifiable secret sharing”, CRYPTO '91, volume 576 of Lecture Notes in Computer Science, pages 129-140, Springer-Verlag, 1992.

The commitments are distributed to all participating network devices A, B, C using a consistent broadcast, as in Cachin et al., “Secure and Efficient Asynchronous Broadcast Protocols”, Joe Kilian, editor, Advances in Cryptology: CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 524-541, Springer, 2001, i.e., all participating network devices A, B, C receive the same commitments; this broadcast can be simplified by adding a new step to the protocol, as demonstrated when describing optimizing the communication complexity below.

The protocol then goes as follows:

1.  The distributor D distributes all share values s_(i) and subshare values s_(ij) to the participating network device A, B, C with the index i and broadcasts the verification table within a respective message.
2.  Each participating network device A, B, C that receives the above messages from the distributor D tests whether
    -   its share values s_(i) and subshare values s_(ji) correspond to C(s_(i)) and C(s_(ji)) in the verification table;
    -   the C(s_(ij)) in the verification table combine to one unique C(s_(i));
    -   the C(s_(ji)) in the verification table combine to some unique value.
3.  If a participating network device A, B, C with index i receives all share values s_(i) and subshare values s_(ji), and all tests are ok, it broadcasts an “OK-Message”.
4.  When receiving sufficiently many, i.e., at least 2t+1, OK-Messages, the respective participating network device A, B, C with index i accepts the distributor D and its share value s_(i).
5.  If a participating network device A, B, C with index i did not receive a valid share s_(i) yet, then it sends a complain message to all participating network devices A, B, C. On receiving such a complain message, the receiving participating network device A, B, C with index j sends its subshare value s_(ij) to the complaining participating network device A, B, C with index i. This participating network device A, B, C then verifies the subshare value s_(ij) using the verification table, and combines the valid subshares to s_(i).

Optimizing the Communication Complexity

The verification message vm comprising the verification table broadcast by the distributor D is relatively large, and can be optimized in several ways. Below, it is described how the protocol can be modified to use a cheaper broadcast primitive, as well as smaller verification values:

-   Each participating network device A, B, C with index i receives only its row i and column i of Table 1, i.e., for all j, s_(ij) and s_(ji), and the corresponding verification values C(s_(ij)) and C(s_(ji)). Furthermore, each participating network device A, B, C receives a hash value on each row and each column as well as C(s_(j0)) and C(s_(0j)), where s_(j0) is the value shared by s_(j1), . . . , s_(jn). These values might not be broadcast consistently, i.e., every participating network device A, B, C might get different values if the distributor D is dishonest.
-   On receiving the share message sm and verification message vm, each participating network device A, B, C verifies the hash values and verification values it has received, and re-computes the verification values C(s_(j0)), C(s_(0j)), C(s_(ij)) and C(s_(ji)) if necessary, i.e., if they do not correspond to the share values s_(j0) and s_(0j) and the subshare values s_(ij) and s_(ji).
-   The respective participating network device A, B, C sends the subshare values s_(ij) and s_(ji) to the participating network device A, B, C with index j, along with all hash values and the (possibly re-computed) verification values.
-   The respective participating network device A, B, C waits until it has received sufficiently many, i.e., at least 2t+1, of the above messages that agree on the hash values and comprise valid subshare values s_(ij) and s_(ji) corresponding to said hash values. Then it sends an OK-Message to each participating network device A, B, C.
-   On receiving sufficiently many, i.e., at least 2t+1, OK-Messages, each participating network device A, B, C accepts the distributor D. If necessary, the share value s_(i) is computed from the subshare values s_(ij).

Note that the above method for optimizing the communication complexity is not intended to ensure agreement on whether or not the distributor D is accepted; it is possible that some participating network device A, B, C does not terminate the protocol, while others do. It is straightforward however to add a Byzantine agreement protocol to the end of the present protocol and thereby ensure that if one participating network device A, B, C accepts the distributor D and its share value s_(i), all honest participating network devices A, B, C with index j accept the distributor D and receive their share value s_(j).

Without Broadcast

It is possible to perform the protocol without broadcast and to integrate the protocol for verifiable secret sharing with a reliable broadcast. This has the advantage of further reducing the communication load and the computation load, because no consistent broadcast is used. Consistent broadcast involves complex digital signature computations, which are avoided.

FIG. 3 shows a schematic diagram of such an asynchronous verifiable secret sharing scheme without broadcast. The same part signs or reference numerals are used to denote the same or like parts.

The protocol here uses three rounds of message exchanges:

As indicated with box 10, the distributor D derives share values s_(i) and subshare values s_(ij) of the secret value x by applying a linear secret sharing scheme. Moreover, the distributor D derives verification values g^(s_(ij)) which are usable for verification of the validity of the share values s_(i) and the subshare values s_(ij). In the next step, box 22, a first message (1st) comprising the corresponding subshare values s_(Ai), s_(iA), s_(Bi), s_(iB), s_(Ci), s_(iC) and the verification values g^(s_(ij)) is sent to each participating network device A, B, C.

For at least 2t+1 participating network devices A, B, C, the following steps i.) to vii.) are performed for each participating network device A, B, C with index i.

-   i.) Each participating network device A, B, C with index i that receives the first message (1st:) from the distributor D determines the validity of all the subshare values s_(ij), s_(ji), for i=1, . . . , n and j=1, . . . , n, in dependence on the verification values g^(s_(ij)), g^(s_(ji)), as indicated with box 32.
-   ii.) In the event of a positive determination, the participating network device with index i derives from the received subshare values s_(ij), s_(ji) the relevant subshare values s_(im), s_(mi) which it has in common with the other participating network devices A, B, C with index m. Then, the participating network device with index i sends a second message (2nd) comprising the verification values g^(s_(rj)), for r=1, . . . , n and j=1, . . . , n, and the relevant subshare values s_(im), s_(mi) to each participating network device A, B, C with index m, as indicated with box 34.
-   iii.) If the second message (2nd:) is received from one participating network device A, B, C with index j, the validity of the received subshare values s_(ij), s_(ji) is determined in dependence on the verification values g^(s_(ij)), g^(s_(ji)) by the participating network device A, B, C with index i, as indicated with box 42.
-   iv.) In the event of a positive determination for 2t+1 received second messages (2nd:), as indicated with box 44, a third message (3rd) comprising the verification values g^(s_(rj)) and the relevant subshare values s_(im), s_(mi) is sent to each participating network device A, B, C with index m, as indicated with box 46. In the event that no first message (1st:) has been received, the relevant subshare values s_(im), s_(mi) are derived from the received second messages (2nd:), as indicated with the arrow labeled with 92.
-   v.) If the third message (3rd:) is received from one participating network device A, B, C with index j, the validity of the received subshare values s_(ij), s_(ji) is determined in dependence on the verification values g^(s_(ij)), g^(s_(ji)), as indicated with box 52.
-   vi.) In the event of a positive determination for t+1 received third messages (3rd:) and not having sent the third message (3rd) yet, as indicated with box 54, one third message (3rd) comprising the verification values g^(s_(rj)) and the relevant subshare values s_(im), s_(mi) is sent to each participating network device A, B, C with index m, as indicated with box 56. In the event that no first message (1st:) has been received, the relevant subshare values s_(im), s_(mi) are derived from the received second or third messages (2nd:, 3rd:), as indicated with the arrow labeled with 94 for the received third messages (3rd:).
-   vii.) In the event of a positive determination for 2t+1 received third messages, as indicated with box 58, the share value s_(i) is derived from the received first, second, or third messages (1st:, 2nd:, 3rd:), as indicated with box 80. That means the share value s_(i) from the distributor D is accepted.
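The round structure of steps i.) to vii.), as an added simulation that is not part of the patent text: the subshare arithmetic is abstracted away, each message carries a token standing for the verification values g^(s_(rj)), and a device treats a message as valid when its token matches the one the device already holds (the stand-in for boxes 32, 42 and 52). What the simulation shows is the threshold logic: 2t+1 second messages trigger a third message, t+1 third messages let a device that has not yet sent one join in, and 2t+1 third messages mean acceptance, so that a device the distributor never contacted still accepts when enough others do, while a distributor that reaches fewer than 2t+1 devices, or sends them differing tables, is accepted by nobody. The Party and Network classes, the token names and the FIFO/LIFO delivery switch are constructions of this example.

```python
class Party:
    """State of one participating network device in the three-round exchange."""

    def __init__(self, pid, t, net):
        self.pid, self.t, self.net = pid, t, net
        self.table = None            # verification values learned so far (a token here)
        self.second = {}             # sender -> accepted second messages
        self.third = {}              # sender -> accepted third messages
        self.sent_second = self.sent_third = False
        self.accepted = False

    def valid(self, token):
        """Stand-in for the validity checks of boxes 32, 42 and 52: the first
        verification table seen is adopted, later messages must agree with it."""
        if self.table is None:
            self.table = token
        return token == self.table

    def on_first(self, token):
        if self.valid(token) and not self.sent_second:                   # box 34
            self.sent_second = True
            self.net.send_to_all(self.pid, "2nd", token)

    def on_second(self, sender, token):
        if self.valid(token):
            self.second[sender] = token
        if len(self.second) >= 2 * self.t + 1 and not self.sent_third:   # boxes 44, 46
            self.sent_third = True
            self.net.send_to_all(self.pid, "3rd", self.table)

    def on_third(self, sender, token):
        if self.valid(token):
            self.third[sender] = token
        if len(self.third) >= self.t + 1 and not self.sent_third:        # boxes 54, 56
            self.sent_third = True
            self.net.send_to_all(self.pid, "3rd", self.table)
        if len(self.third) >= 2 * self.t + 1:                            # boxes 58, 80
            self.accepted = True


class Network:
    """Asynchronous point-to-point links: every message is eventually delivered,
    in FIFO or LIFO order depending on the run, and none is lost or altered."""

    def __init__(self, n, t):
        self.queue = []
        self.parties = {i: Party(i, t, self) for i in range(1, n + 1)}

    def send(self, sender, receiver, kind, token):
        self.queue.append((sender, receiver, kind, token))

    def send_to_all(self, sender, kind, token):
        for receiver in self.parties:
            self.send(sender, receiver, kind, token)

    def run(self, lifo=False):
        while self.queue:
            sender, receiver, kind, token = self.queue.pop(-1 if lifo else 0)
            party = self.parties[receiver]
            if kind == "1st":
                party.on_first(token)
            elif kind == "2nd":
                party.on_second(sender, token)
            else:
                party.on_third(sender, token)
        return {i: p.accepted for i, p in self.parties.items()}


def run_sharing(n, t, first_messages, lifo=False):
    """Run one sharing.  first_messages maps a party to the verification-table
    token the distributor sent it; parties missing from the map never hear from
    the distributor (crash), and differing tokens model a dishonest distributor."""
    net = Network(n, t)
    for receiver, token in first_messages.items():
        net.send(0, receiver, "1st", token)
    return net.run(lifo)


if __name__ == "__main__":
    # constructed run: n = 4, t = 1, the distributor reaches only 2t+1 = 3 devices
    print(run_sharing(4, 1, {1: "TABLE-A", 2: "TABLE-A", 3: "TABLE-A"}))
```

Delivery order does not change the outcome, which is the property the text claims for this variant: the counters only grow, so once 2t+1 devices have sent consistent second messages every device eventually reaches the third-message threshold, and when fewer than 2t+1 agree nobody does.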

The more efficient protocol can be combined with the method to use commitments and with the method to optimize the communication complexity. The protocol that results from this has the advantage of further reduced communication and computation complexity. It is an advantage that it also ensures agreement on whether the distributor D is accepted or not, so that each participating network device A, B, C terminates if and only if every other participating network device A, B, C does so.

Hybrid Adversary Structures

Instead of a fixed threshold of t out of n corruptions, it is possibleto gain more flexibility by reflecting real-world structures.

For example, an adversary could be able to control all participatingnetwork devices with a certain operating system, or he might bribe onesystem administrator to get access to all participating network devicesat a specific site. Adversary structures cope with such an attackscheme.

To define an adversary structure T, one has to define every coalition of parties whose corruption the system should tolerate, e.g., a coalition of all participating network devices with the same operating system. The set of all those sets then is the adversary structure T.

FIG. 4 illustrates a scenario of 19 sites of participating network devices P₁ to P₁₉ distributed in a structured way, i.e. each participating network device P₁ to P₁₉ has an operating system OS-1 to OS-4 and a location within a country C1 to C4. By conventional t-out-of-n structures, any set of six (Byzantine) failing participating network devices can be tolerated. Using the corresponding adversary structures, one can tolerate simultaneous failures of one operating system and one location. In the present example, this can be up to 10 participating network devices (e.g., failure of all participating network devices in the fourth country C4 or with the first operating system OS-1), or less than four if the corruptions are well distributed, i.e., four participating network devices covering all countries and all operating systems.
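An added example (not from the patent) that makes the FIG. 4 scenario concrete: it builds the adversary structure T for "one operating system plus one country" failures over a constructed assignment of the 19 devices to OS-1..OS-4 and C1..C4 (the text does not give the real assignment), tests whether a corrupted coalition is tolerated, and goes one step beyond the text by checking the Q^3 condition (no three sets of T cover all devices), the general-adversary analogue of t<n/3 that a Byzantine-tolerant protocol needs; that condition is assumed here from the literature, not stated on the page.

```python
from itertools import combinations_with_replacement

# Constructed layout in the spirit of FIG. 4 (the text does not give the exact assignment):
# 19 devices P1..P19, each with an operating system OS-1..OS-4 and a country C1..C4.
DEVICES = {f"P{i}": (f"OS-{(i - 1) % 4 + 1}", f"C{(i - 1) // 5 + 1}") for i in range(1, 20)}

def adversary_structure(devices):
    """T: one set per (OS, country) pair, holding every device with that OS or in that country."""
    oses = {o for o, _ in devices.values()}
    countries = {c for _, c in devices.values()}
    return {frozenset(p for p, (o, c) in devices.items() if o == osys or c == country)
            for osys in oses for country in countries}

def tolerated(coalition, structure):
    """A corrupted coalition is tolerated iff it lies inside some set of T."""
    return any(frozenset(coalition) <= s for s in structure)

def q3(structure, devices):
    """Q^3: no three sets of T together cover all devices (generalises t < n/3)."""
    return all(len(a | b | c) < len(devices)
               for a, b, c in combinations_with_replacement(structure, 3))

def demo():
    T = adversary_structure(DEVICES)
    all_os1_and_c4 = {p for p, (o, c) in DEVICES.items() if o == "OS-1" or c == "C4"}
    spread = {"P1", "P6", "P11", "P16"}   # four devices covering every OS and every country
    # 8 devices > t = 6, yet tolerated; 4 well-spread devices are not; the structure satisfies Q^3
    return len(all_os1_and_c4), tolerated(all_os1_and_c4, T), tolerated(spread, T), q3(T, DEVICES)
```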

In the protocol for sharing a secret x, several types of failures can occur simultaneously. For example, one could distinguish between crash failures CF, Byzantine failures BF, and link failures LF. This allows a higher overall number of failures to be tolerated.

The present invention can be realized in hardware, software, or a combination of hardware and software. Any kind of computer system—or other apparatus adapted for carrying out the method described herein—is suited. A typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein. The present invention can also be embedded in a computer program product, which comprises all the features enabling the implementation of the methods described herein, and which—when loaded in a computer system—is able to carry out these methods.

Computer program means or computer program in the present context mean any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following: a) conversion to another language, code or notation; b) reproduction in a different material form.

1. Method for sharing a secret value (x) among n participating network devices (A, B, C) via an asynchronous network, the n participating network devices (A, B, C) comprising t faulty devices and k sub-devices capable of reconstructing the secret value (x), wherein t<n/3 and k<n, the secret value (x) being provided by a distributor (D), comprising the following steps: deriving by the distributor (D) share values (s_(i)) and subshare values (s_(ij)) of the secret value (x) by applying a linear secret sharing scheme and deriving verification values (g^(s_(ij))) usable for verification of validity of the share values (s_(i)) and the subshare values (s_(ij)); sending to each participating network device (A, B, C) a share message comprising the corresponding subshare values (s_(Ai),s_(iA), s_(Bi),s_(iB), s_(Ci),s_(iC)); broadcasting a verification message comprising the verification values (g^(s_(ij))); receiving by at least l participating network devices (A, B, C) the verification message comprising the verification values (g^(s_(ij))), wherein n−t≧l≧2t+1, and performing the steps 1) to 4) for each recipient network device (A, B, C), 1) if the share message comprising subshare values (s_(ij)) is received, determining the validity of the subshare values (s_(ij)) in dependence on the verification values (g^(s_(ij))) and 2) broadcasting in the event of positive determination an agree message comprising an agree-value (Y); 3) receiving l agree messages comprising the agree-values (Y_(A), Y_(B), Y_(C)); 4) in the event of l received agree messages, obtaining the share value (s_(i)) either from the share message sent by the distributor (D) or from subshare values (s_(ij)) received from participating network devices (A, B, C), and determining the validity of the subshare values (s_(ij)) in dependence on the verification values (g^(s_(ij))).
2. Method according to claim 1, wherein step 1) further comprises sending to each participating network device (A, B, C) its subshare values (s_(ij)) and additional verification values, and upon receiving l additional verification values modifying the verification values (g^(s_(ij))) in dependence of the received additional verification values.
3. Method according to claim 1, wherein the step of obtaining the share value (s_(i)) from subshare values (s_(ij)) received from participating network devices (A, B, C) further comprises broadcasting a complain message and receiving the subshare values (s_(ij)) sent in response to the complain message.

4. Method according to claim 1, wherein the verification values (g^(s_(ij))) are derived by choosing a common number (g) from a cryptographic group G corresponding to the linear secret sharing scheme, deriving the verification values (g^(s_(ij))) by raising the chosen common number (g) to the power of a monotone function ƒ of the share value (s_(i)).

5. Method according to claim 1, wherein the verification values (g^(s_(ij))) are derived using a hash function.
6. Method according to claim 1, wherein several secret values are shared simultaneously.
7. Method according to claim 1, wherein the number t of faulty devices is extended to a set T of sets comprising participating network devices (A, B, C; P₁-P₁₉).
8. Method according to claim 7, wherein the participating network devices (A, B, C; P₁-P₁₉) show hybrid failures (BF, CF, LF) reflecting a different structure of the set T or different thresholds t_(i), with i=1, 2, . . . m.
9. An article of manufacture comprising a computer usable medium having computer readable program code means embodied therein for causing sharing a secret value, the computer readable program code means in said article of manufacture comprising computer readable program code means for causing a computer to effect the steps of claim 1.

10. A program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for sharing a secret value, said method steps comprising the steps of claim 1.

11. Method for sharing a secret value (x) among n participating network devices (A, B, C) via an asynchronous network, the n participating network devices (A, B, C) comprising t faulty devices and k sub-devices capable of reconstructing the secret value (x), wherein t<n/3 and k<n−t, the secret value (x) being provided by a distributor (D), comprising the following steps: deriving by the distributor (D) share values (s_(i)) and subshare values (s_(ij)) of the secret value (x) by applying a linear secret sharing scheme and deriving verification values (g^(s_(ij))) usable for verification of validity of the share values (s_(i)) and the subshare values (s_(ij)); sending to each participating network device (A, B, C) a first message comprising the corresponding subshare values (s_(Ai),s_(iA), s_(Bi),s_(iB), s_(Ci),s_(iC)) and the verification values (g^(s_(ij))); for at least 2t+1 participating network devices (A, B, C) performing the following steps for each participating network device (A, B, C, with index i): i.) if the first message comprising subshare values (s_(ij),s_(ji)) is received, determining the validity of the subshare values (s_(ij),s_(ji)) in dependence on the verification values (g^(s_(ij)), g^(s_(ji))); ii.) in the event of positive determination, deriving from the received subshare values (s_(ij),s_(ji)) relevant subshare values (s_(im),s_(mi)) being in common with the other participating network devices (A, B, C, with index m), and sending a second message comprising the verification values (g^(s_(rj))) and the relevant subshare values (s_(im),s_(mi)) to each participating network device (A, B, C, with index m); iii.) if the second message is received from one participating network device (A, B, C, with index j), determining the validity of the received subshare values (s_(ij),s_(ji)) in dependence on the verification values (g^(s_(ij)), g^(s_(ji))); iv.) in the event of positive determination for 2t+1 received second messages, sending a third message comprising the verification values (g^(s_(rj))) and the relevant subshare values (s_(im),s_(mi)) to each participating network device (A, B, C, with index m), in the event that no first message has been received, deriving the relevant subshare values (s_(im),s_(mi)) from the received second messages; v.) if the third message is received from one participating network device (A, B, C, with index j), determining the validity of the received subshare values (s_(ij),s_(ji)) in dependence on the verification values (g^(s_(ij)), g^(s_(ji))); vi.) in the event of positive determination for t+1 received third messages and not having sent a third message, sending one third message comprising the verification values (g^(s_(rj))) and the relevant subshare values (s_(im),s_(mi)) to each participating network device (A, B, C, with index m), in the event that no first message has been received, deriving the relevant subshare values (s_(im),s_(mi)) from the received second or third messages; vii.) in the event of positive determination for 2t+1 received third messages, deriving the share value (s_(i)) from the received first, second, or third messages.

12. An article of manufacture comprising a computer usable medium having computer readable program code means embodied therein for causing sharing a secret value, the computer readable program code means in said article of manufacture comprising computer readable program code means for causing a computer to effect the steps of claim 11.

13. A computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing sharing a secret value (x), the computer readable program code means in said computer program product comprising computer readable program code means for causing a computer to effect the functions of claim 12.

14. A program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for sharing a secret value, said method steps comprising the steps of claim 11.
15. A computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing sharing a secret value (x), the computer readable program code means in said computer program product comprising computer readable program code means for causing a computer to effect the functions of claim 14.

16. An apparatus for sharing a secret value (x) among n participating network devices (A, B, C) via an asynchronous network, the n participating network devices (A, B, C) comprising t faulty devices and k sub-devices capable of reconstructing the secret value (x), wherein t<n/3 and k<n, the secret value (x) being provided by a distributor (D), comprising means for deriving by the distributor (D) share values (s_(i)) and subshare values (s_(ij)) of the secret value (x) by applying a linear secret sharing scheme and deriving verification values (g^(s_(ij))) usable for verification of validity of the share values (s_(i)) and the subshare values (s_(ij)); means for sending to each participating network device (A, B, C) a share message comprising the corresponding subshare values (s_(Ai),s_(iA), s_(Bi),s_(iB), s_(Ci),s_(iC)); means for broadcasting a verification message comprising the verification values (g^(s_(ij))); means for receiving by at least l participating network devices (A, B, C) the verification message comprising the verification values (g^(s_(ij))), wherein n−t≧l≧2t+1, and performing the steps 1) to 4) for each recipient network device (A, B, C), 1) if the share message comprising subshare values (s_(ij)) is received, determining the validity of the subshare values (s_(ij)) in dependence on the verification values (g^(s_(ij))) and 2) broadcasting in the event of positive determination an agree message comprising an agree-value (Y); 3) receiving l agree messages comprising the agree-values (Y_(A), Y_(B), Y_(C)); 4) in the event of l received agree messages, obtaining the share value (s_(i)) either from the share message sent by the distributor (D) or from subshare values (s_(ij)) received from participating network devices (A, B, C), and determining the validity of the subshare values (s_(ij)) in dependence on the verification values (g^(s_(ij))).
17. An apparatus for sharing a secret value (x) among n participating network devices (A, B, C) via an asynchronous network, the n participating network devices (A, B, C) comprising t faulty devices and k sub-devices capable of reconstructing the secret value (x), wherein t<n/3 and k≦n−t, the secret value (x) being provided by a distributor (D), comprising: means for deriving by the distributor (D) share values (s_(i)) and subshare values (s_(ij)) of the secret value (x) by applying a linear secret sharing scheme and deriving verification values (g^(s_(ij))) usable for verification of validity of the share values (s_(i)) and the subshare values (s_(ij)); means for sending to each participating network device (A, B, C) a first message comprising the corresponding subshare values (s_(Ai),s_(iA), s_(Bi),s_(iB), s_(Ci),s_(iC)) and the verification values (g^(s_(ij))); for at least 2t+1 participating network devices (A, B, C) performing the following steps for each participating network device (A, B, C, with index i): i.) if the first message comprising subshare values (s_(ij),s_(ji)) is received, determining the validity of the subshare values (s_(ij),s_(ji)) in dependence on the verification values (g^(s_(ij)), g^(s_(ji))); ii.) in the event of positive determination, deriving from the received subshare values (s_(ij),s_(ji)) relevant subshare values (s_(im),s_(mi)) being in common with the other participating network devices (A, B, C, with index m), and sending a second message comprising the verification values (g^(s_(rj))) and the relevant subshare values (s_(im),s_(mi)) to each participating network device (A, B, C, with index m); iii.) if the second message is received from one participating network device (A, B, C, with index j), determining the validity of the received subshare values (s_(ij),s_(ji)) in dependence on the verification values (g^(s_(ij)), g^(s_(ji))); iv.) in the event of positive determination for 2t+1 received second messages, sending a third message comprising the verification values (g^(s_(rj))) and the relevant subshare values (s_(im),s_(mi)) to each participating network device (A, B, C, with index m), in the event that no first message has been received, deriving the relevant subshare values (s_(im),s_(mi)) from the received second messages; v.) if the third message is received from one participating network device (A, B, C, with index j), determining the validity of the received subshare values (s_(ij),s_(ji)) in dependence on the verification values (g^(s_(ij)), g^(s_(ji))); vi.) in the event of positive determination for t+1 received third messages and not having sent a third message, sending one third message comprising the verification values (g^(s_(rj))) and the relevant subshare values (s_(im),s_(mi)) to each participating network device (A, B, C, with index m), in the event that no first message has been received, deriving the relevant subshare values (s_(im),s_(mi)) from the received second or third messages; vii.) in the event of positive determination for 2t+1 received third messages, deriving the share value (s_(i)) from the received first, second, or third messages.